Skip to main content
Fundamentals

FortiClient EMS Emergency Patch: What Australian Businesses Need to Do Now

Jannis Herbst·8 April 2026·6 min read
FortiClient EMS Emergency Patch: What Australian Businesses Need to Do Now

Fortinet released an emergency patch this weekend for a critical vulnerability in FortiClient Enterprise Management Server (EMS). The flaw, tracked as CVE-2026-35616, allows attackers to run commands on your server without needing a username or password. If your business uses FortiClient EMS to manage endpoint security, this needs to be patched today.

What Is FortiClient EMS and Who Uses It?

FortiClient EMS is a centralised management platform for Fortinet's endpoint security software. Businesses use it to push security policies, manage antivirus and firewall settings, and monitor the security posture of every device on their network from a single console.

It is popular with small and mid-sized businesses that have deployed FortiClient across staff laptops, desktops, and servers. If you have a Fortinet environment, there is a good chance FortiClient EMS is running somewhere on your network.

For many businesses, this is the system that keeps all their other security tools in check. It is the control plane for your endpoint defences.

If you are not sure whether your business uses FortiClient EMS, ask your IT provider today.

Why This Vulnerability Is as Serious as It Gets

CVE-2026-35616 is an improper access control flaw. In plain terms: an attacker does not need to be logged in, or even have valid credentials, to exploit it. They can send specially crafted requests to your EMS server and gain the ability to run commands directly on your infrastructure.

This is not a theoretical risk. Fortinet confirmed the vulnerability is already being actively exploited in the wild. Security watchdog Shadowserver found over 2,000 exposed FortiClient EMS servers accessible on the public internet. Attackers are actively scanning for vulnerable targets.

If your EMS server is reachable from the internet and has not been patched, consider it a target.

An attacker who compromises your endpoint management platform is in a powerful position. From there, they can:

  • Disable security policies across every managed device on your network
  • Push malicious software to all company laptops and desktops at once
  • Create hidden backdoors that survive a system reinstall
  • Silently exfiltrate sensitive business and client data before detection

This is why CISA, the US government's cybersecurity agency, issued an immediate directive ordering federal agencies to patch. They did not wait for a normal patch cycle.

How to Check If You Are Affected

The vulnerability affects specific versions of FortiClient EMS. Your server is at risk if it is running:

  • FortiClient EMS 7.4.5
  • FortiClient EMS 7.4.6

To check your version:

  1. Log into the FortiClient EMS console with administrator credentials
  2. Navigate to System > Dashboard
  3. Look for the version number in the system information panel

If you see either of those versions, apply the patch immediately. If you are running an older version, check Fortinet's official security advisory as additional versions may also be affected.

If your EMS server is accessible directly from the internet, treat this as a priority-one incident and act now.

How to Fix It

Fortinet released a hotfix specifically for this vulnerability. Here is what to do:

  1. Log into your FortiClient EMS server with administrator credentials
  2. Go to System > Firmware/Updates in the console
  3. Download and apply the available hotfix for your installed version
  4. Restart the EMS service if prompted
  5. Verify the patch applied by checking the version number in the dashboard after the restart

If you use a managed IT provider or Fortinet reseller, contact them now and ask them to confirm the hotfix has been applied. Do not assume it has been handled automatically.

Additional Steps to Reduce Exposure

While you are making changes, take a few extra minutes to harden your setup:

  • Restrict network access: FortiClient EMS should not be directly accessible from the public internet. If it is, put it behind a VPN or firewall rule that limits access to internal networks or trusted IP addresses only.
  • Audit administrator accounts: Remove any admin accounts that belong to former staff or that are no longer actively used.
  • Enable and review logs: Confirm that login attempts and configuration changes are being logged. If you have a security monitoring tool, make sure EMS logs are feeding into it.

The Patching Speed Problem for Small Businesses

Most businesses patch on a schedule, whether monthly, quarterly, or when their IT provider gets to it. This incident highlights why that approach is not adequate for critical vulnerabilities.

Fortinet released this patch over a weekend because exploitation was already underway. The urgency was not theoretical. The moment a patch is released for an actively exploited flaw, the clock is running. Attackers can reverse-engineer a security update to understand the underlying vulnerability, and they move fast.

The window between a patch release and widespread exploitation is measured in hours, not days.

For small businesses across Australia, this is a practical problem. You may not have dedicated IT staff watching vendor security bulletins. You may rely on an IT provider who patches on a schedule. And your endpoint management platform, the very system designed to protect your business, could be left exposed for weeks.

The FortiClient EMS case is a useful example of a category of risk that does not get enough attention: vulnerabilities in the security tools themselves. Firewalls, endpoint managers, and VPN gateways are high-value targets precisely because compromising them undermines everything else.

What Good Looks Like

A well-managed small business cyber security posture includes:

  • A process for receiving and acting on critical vendor security bulletins within 24-48 hours
  • Clear responsibility assigned to either internal staff or an IT provider for emergency patch response
  • Regular confirmation that patches have actually been applied, not just scheduled

If your current IT arrangement does not include emergency patching protocols, this is worth raising.

Summary

CVE-2026-35616 is being actively exploited right now. If your business runs FortiClient EMS 7.4.5 or 7.4.6, patch it today. Verify the fix has been applied, restrict public access to your EMS server, and review who has administrator access.

This is also a good moment to ask your IT provider how they handle emergency patches when a critical vulnerability drops on a Friday night. The answer will tell you a lot about your real security posture.

If you want to understand where your business stands and make sure critical vulnerabilities are being addressed before they become incidents, get in touch with Cubit Cyber. We help Australian businesses stay ahead of threats without the complexity.

Free Assessment

How secure is your Microsoft 365?

12 questions. Instant score across 5 security categories. Takes 3 minutes. No login required.

Take the Free Assessment →

Related articles

Fundamentals

How much does a cyber security assessment cost in Australia? (2026)

5 min readFundamentals

Penetration testing cost in Australia 2026: what you actually get for $5k vs $25k

9 min readFundamentals

Employee Offboarding Security: The Access That Stays Behind

8 min read

Stay sharp

Get practical security tips, monthly.

Plain English. No jargon. No spam. Unsubscribe any time.

Ready to protect your business?

Get a free, no-obligation security assessment quote tailored to your business.

Get a Free Quote →Book a Free 15-Min Call